📅 Original date posted:2018-07-06
📝 Original message:On Fri, Jul 6, 2018 at 9:05 PM, Russell O'Connor via bitcoin-dev
<bitcoin-dev at lists.linuxfoundation.org> wrote:
> If the inputs to hash were reordered as hash(bytes(dG) || bytes(x(R)) || m)
> then there is an opportunity for SHA256 expander to be partially prefilled
> for a fixed public key. This could provide a little benefit, especially
> when multiple signatures for a single public key need to be generated and/or
> verified. If all things are otherwise equal, perhaps this alternate order
> is better.
There is a minor design preference to have message before nonce when
H() is a MD-style hash function. Say the attacker knows some weakness
in H and can find pairs of messages m and m' so that the compression
function results in the same midstate. He could then ask you to sign
m but get a signature that also works for m'. If the signer
controlled R value comes first, then this doesn't work. The pubkey
being where it is in the current design just follows from the idea
that it is just logically prepended on the message. I don't think the
pubkey is sufficiently attacker controlled that the above argument
would apply, so H(P || R.x || m) would be okay.
BUT, the sha256 compression function reads 64 bytes at a time. PRM
would not let you precompute a whole compression function run, but
instead would just let you hardwire part of the expander in a pubkey
dependant way-- an optimization I'm pretty confident virtually no one
would use. (Hardwiring to a constant, yes. Hardwiring to a reused
dynamic value that comes in from the network, no)
If instead the hash function were defined as using 31 zeros then
P||R||m (or P || 31 zeros bytes || R || m, I'm not sure what would be
better), an entire midstate could be cached for different pubkeys. m
is often 32 bytes, sadly- - but the final compression run in that case
would only be the constant update with the length.... and
almost-all-zeros + constant length, is an easy optimization. (Bitcoin
core even has it for computing sha256(sha256())).
[I'm not really sure if I was clear, so I'll try TLDRing it: I think
optimizing sha256 where part of the input is constant is realistic,
optimizing midstate reuse is realistic, optimizing where part is
reused is less realistic. If we insert padding, and put P first, we
can make it possible to midstate cache P, and the 'extra' compression
function run ends up with all constant input, so it could be made
faster.]
Gregory Maxwell [ARCHIVE] /
npub1f2…crwet
2023-06-07 18:13:38
in reply to nevent1q…j0ax
Author Public Key
npub1f2nvlx49er5c7sqa43src6ssyp6snd4qwvtkwm5avc2l84cs84esecrwetPublished at
2023-06-07 18:13:38Event JSON
{
"id": "e3e89b37e0e22caadeccc47af4c4b0cd8ee4912b9bafb96be1e8419fa2cdc234",
"pubkey": "4aa6cf9aa5c8e98f401dac603c6a10207509b6a07317676e9d6615f3d7103d73",
"created_at": 1686161618,
"kind": 1,
"tags": [
[
"e",
"dcbab9d1f7a86282b42a917be667848bce85642924479a3938b3d5ae76f245c4",
"",
"root"
],
[
"e",
"3d0be8390f2e899fdc50cac76dcda5c82085054c76aeeffac4703cb6c528d141",
"",
"reply"
],
[
"p",
"6b8e77368804013d7126ba4b77c7963bcfeff909135791531097d7a0f03ca85d"
]
],
"content": "📅 Original date posted:2018-07-06\n📝 Original message:On Fri, Jul 6, 2018 at 9:05 PM, Russell O'Connor via bitcoin-dev\n\u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e If the inputs to hash were reordered as hash(bytes(dG) || bytes(x(R)) || m)\n\u003e then there is an opportunity for SHA256 expander to be partially prefilled\n\u003e for a fixed public key. This could provide a little benefit, especially\n\u003e when multiple signatures for a single public key need to be generated and/or\n\u003e verified. If all things are otherwise equal, perhaps this alternate order\n\u003e is better.\n\nThere is a minor design preference to have message before nonce when\nH() is a MD-style hash function. Say the attacker knows some weakness\nin H and can find pairs of messages m and m' so that the compression\nfunction results in the same midstate. He could then ask you to sign\nm but get a signature that also works for m'. If the signer\ncontrolled R value comes first, then this doesn't work. The pubkey\nbeing where it is in the current design just follows from the idea\nthat it is just logically prepended on the message. I don't think the\npubkey is sufficiently attacker controlled that the above argument\nwould apply, so H(P || R.x || m) would be okay.\n\nBUT, the sha256 compression function reads 64 bytes at a time. PRM\nwould not let you precompute a whole compression function run, but\ninstead would just let you hardwire part of the expander in a pubkey\ndependant way-- an optimization I'm pretty confident virtually no one\nwould use. (Hardwiring to a constant, yes. Hardwiring to a reused\ndynamic value that comes in from the network, no)\n\nIf instead the hash function were defined as using 31 zeros then\nP||R||m (or P || 31 zeros bytes || R || m, I'm not sure what would be\nbetter), an entire midstate could be cached for different pubkeys. m\nis often 32 bytes, sadly- - but the final compression run in that case\nwould only be the constant update with the length.... and\nalmost-all-zeros + constant length, is an easy optimization. (Bitcoin\ncore even has it for computing sha256(sha256())).\n\n[I'm not really sure if I was clear, so I'll try TLDRing it: I think\noptimizing sha256 where part of the input is constant is realistic,\noptimizing midstate reuse is realistic, optimizing where part is\nreused is less realistic. If we insert padding, and put P first, we\ncan make it possible to midstate cache P, and the 'extra' compression\nfunction run ends up with all constant input, so it could be made\nfaster.]",
"sig": "9b81048f3972ffe875c39c3655b79796d0fad4776fe2981b2f76ec1e16813c3a5ba37768067c629a3a001131a7c82f87b666bc0b4eee3fdbe2eac8fb6bbe5ce5"
}